« Thunderbird Released With Security Fixes | Main | Computerworld Security predictions for 2009 »

MS08-067 Worm on the Loose

Dshield has published a report of a new MS08-067 worm spreading.

"It does various things to install and hide itself on the infected computer.  It removes any System Restore points that the user has set and disables the Windows Update Service.  It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a builtin dictionary.  At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible.  After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself.  You can find examples of the domain names in the Symantec W32.Downadup.B writeup.

The general form of the URL that it generates is: http://[GENERATED DOMAIN NAME].[TOP LEVEL DOMAIN]/search?q=%d so you could configure proxy servers or IDS sensors to start looking for "/search?q=%d" to find systems on your network that may have possibly been compromised by this worm."

Read more: http://isc.sans.org/diary.html?storyid=5596
Additional Information on MS08-067: http://www.cgisecurity.net/2008/10/emergency-micro.html


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!